iOS逆向 - dumpdecrypted工具砸殼

Appstore下載的App是蘋果加密過的, 可執行文件套上了一層保護殼. class-dump無法作用於加密過的App。所以，要想獲取頭文件，首先得破解加密的可執行文件，俗稱”砸殼”.

dumpdecrypted 就是砸殼工具，需要自行編譯。

1、下載工具

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ git clone https://github.com/s
tefanesser/dumpdecrypted
Cloning into 'dumpdecrypted'...
remote: Counting objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Unpacking objects: 100% (31/31), done.
Checking connectivity... done.

2、編譯

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd dumpdecrypted/
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
2015-12-23 15:44:16.429 xcodebuild[9345:206961] [MT] DVTPlugInManager: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for KSImageNamed.ideplugin (com.ksuther.KSImageNamed) not present
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/CodePilot3.xcplugin' not present in DVTPlugInCompatibilityUUIDs
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/ClangFormat.xcplugin' not present in DVTPlugInCompatibilityUUID
..........省略大部分log

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ls
Makefile            dumpdecrypted.c     dumpdecrypted.o
README              dumpdecrypted.dylib

最後生成了 dumpdecrypted.dylib 文件. 這個就是等會需要用到的砸殼文件。 以後都能重複使用了,無須重新編譯。

3、定位需要砸殼的可執行文件。

appstore裏面的App一般位於/var/mobile/Containers/Bundle/Application/xxx 下面

這裏有一個小技巧:就是用 ps -e 命令找到所有進程，手機只開一個App，所以含有 /var/mobile 路徑的就是可執行文件的路徑. 這裏拿肯德基的官方app做例子,可以看到 KFC 關鍵字，所以這個路徑是正確的。

didi:~ root# ps -e | grep var
 2351 ??         0:20.04 /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND
 2360 ttys000    0:00.01 grep var

4、找到Doucument目錄位置

進入目錄下面，使用上一節介紹的cycript工具

didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app root# cycript -p KFC_BRAND 
cy#     [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/"

5、將dumpdecrypted.dylib拷貝到Document目錄下面

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ scp dumpdecrypted.dylib root@192.168.31.209:/var/mobile/Applications/F2842AA9-F
082-4EA1-8FAD-97BBAAA84D8F/Documents/dumpdecrypted.dylib
dumpdecrypted.dylib                                                                            100%  193KB 192.9KB/s   00:00

6、開始砸殼

進入Document目錄下面，執行 DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib相關的命令.

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ssh root@192.168.31.209
didi:~ root# cd /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage  Backups  IDatabaseHelper  TCSdkConfig.plist	dumpdecrypted.dylib  imageFileCache.dat  tencent_analysis_qc.db
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /va
r/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND 
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x68a08(from 0x68000) = a08
[+] Found encrypted data at address 00004000 of length 4620288 bytes - type 1.
[+] Opening /private/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening KFC_BRAND.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08
[+] Closing original file
[+] Closing dump file

會生成app砸殼後的文件xx.decrypted. 這裏就是 KFC_BRAND.decrypted

didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage  IDatabaseHelper	TCSdkConfig.plist    imageFileCache.dat
Backups    KFC_BRAND.decrypted	dumpdecrypted.dylib  tencent_analysis_qc.db

然後就能用 class-dump 、 IDA 工具了.

流程還是比較簡單的、跟着步驟一步步來。

爲什麼要放在Document目錄下面？

沙盒意外的大多數文件沒有寫權限， dumpdecrypted.dylib 要寫一個decrypted文件, 它是運行在跟商店app中的，需要與商店裏面的app權限相同，所以寫操作必須發生在有寫權限的路徑下才能成功。

獲取頭文件

檢查一下砸殼後的文件是否能獲取到頭文件。

liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ /Users/liuchendi/Desktop/class-dump -H /Users/liuchendi/Desktop/逆向/KFC_BRAND.
decrypted -o head
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd head/
liuchendi@lovelyddtekiMacBook-Pro head$ ls
ABNewPersonViewControllerDelegate-Protocol.h             MTAWXOPasteboard.h
ABPeoplePickerNavigationControllerDelegate-Protocol.h    MTAWXOReachability.h
ABPersonViewControllerDelegate-Protocol.h                MTAWXOSessionEnv.h
AMapViewController.h                                     MTAWXOStore.h
APAutoRotateImageView.h                                  MTAWXOStoreEvent.h
APHTTPRequestOperation.h                                 MTAWXOTestSpeedEvent.h
APIBase.h                                                MTAWXOUser.h
...........省略大部分